Thread: Re: [PATCHES] sslmode patch
I had a little problem apply this patch because it had an #ifdef for
elog() parameter passing. Because ereport() is now a macro, you can't
do #ifdef inside a macro _call_, so I did it this way:
#ifdef USE_SSL
#define EREPORT_SSL_STATUS (port->ssl ? "on" : "off")
#else
#define EREPORT_SSL_STATUS "off"
#endif
ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), errmsg("no pg_hba.conf entry for host
\"%s\",user \"%s\", database \"%s\", SSL \"%s\"", hostinfo, port->user_name, port->database_name,
EREPORT_SSL_STATUS)));break;
Is this the proper way to do it?
---------------------------------------------------------------------------
Bruce Momjian wrote:
>
> Newest patch applied. Thanks.
>
> ---------------------------------------------------------------------------
>
>
>
> Jon Jensen wrote:
> > Folks,
> >
> > At long last I put together a patch to support 4 client SSL negotiation
> > modes (and replace the requiressl boolean). The four options were first
> > spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
> > to pgsql-hackers, archived here:
> >
> > http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
> >
> > My original less-flexible patch and the ensuing thread are archived at:
> >
> > http://dbforums.com/t623845.html
> >
> > Attached is a new patch, including documentation.
> >
> > To sum up, there's a new client parameter "sslmode" and environment
> > variable "PGSSLMODE", with these options:
> >
> > sslmode description
> > ------- -----------
> > disable Unencrypted non-SSL only
> > allow Negotiate, prefer non-SSL
> > prefer Negotiate, prefer SSL (default)
> > require Require SSL
> >
> > The only change to the server is a new pg_hba.conf line type,
> > "hostnossl", for specifying connections that are not allowed to use SSL
> > (for example, to prevent servers on a local network from accidentally
> > using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
> >
> > pg_hba.conf line types
> > ----------------------
> > host applies to either SSL or regular connections
> > hostssl applies only to SSL connections
> > hostnossl applies only to regular connections
> >
> > These client and server options, the postgresql.conf ssl = false option,
> > and finally the possibility of compiling with no SSL support at all,
> > make quite a range of combinations to test. I threw together a test
> > script to try many of them out. It's in a separate tarball with its
> > config files, a patch to psql so it'll announce SSL connections even in
> > absence of a tty, and the test output. The test is especially informative
> > when run on the same tty the postmaster was started on, so the FATAL:
> > errors during negotiation are interleaved with the psql client output.
> >
> > I saw Tom write that new submissions for 7.4 have to be in before midnight
> > local time, and since I'm on the east coast in the US, this just makes it
> > in before the bell. :)
> >
> > Jon
>
> Content-Description:
>
> [ Attachment, skipping... ]
>
> Content-Description:
>
> [ Attachment, skipping... ]
>
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 6: Have you searched our list archives?
> >
> > http://archives.postgresql.org
>
> --
> Bruce Momjian | http://candle.pha.pa.us
> pgman@candle.pha.pa.us | (610) 359-1001
> + If your life is a hard drive, | 13 Roberts Road
> + Christ can be your backup. | Newtown Square, Pennsylvania 19073
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
>
-- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610)
359-1001+ If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square,
Pennsylvania19073
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> I had a little problem apply this patch because it had an #ifdef for
> elog() parameter passing. Because ereport() is now a macro, you can't
> do #ifdef inside a macro _call_, so I did it this way:
I don't think a non-SSL-enabled build need be pointing that out in every
error message --- the SSL phrase shouldn't even be there in the message.
Accordingly, I'd be inclined to do this:
#ifdef USE_SSL ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), errmsg("no
pg_hba.confentry for host \"%s\", user \"%s\", database \"%s\", %s", hostinfo, port->user_name,
port->database_name, (port->ssl ? gettext("SSL on") : gettext("SSL off")))));
#else ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), errmsg("no pg_hba.conf entry
forhost \"%s\", user \"%s\", database \"%s\"", hostinfo, port->user_name, port->database_name)));
#endif
This approach is also more localizable.
regards, tom lane
Excellent idea. Patch attached and applied.
---------------------------------------------------------------------------
Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > I had a little problem apply this patch because it had an #ifdef for
> > elog() parameter passing. Because ereport() is now a macro, you can't
> > do #ifdef inside a macro _call_, so I did it this way:
>
> I don't think a non-SSL-enabled build need be pointing that out in every
> error message --- the SSL phrase shouldn't even be there in the message.
> Accordingly, I'd be inclined to do this:
>
> #ifdef USE_SSL
> ereport(FATAL,
> (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
> errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
> hostinfo, port->user_name, port->database_name,
> (port->ssl ? gettext("SSL on") : gettext("SSL off")))));
> #else
> ereport(FATAL,
> (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
> errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
> hostinfo, port->user_name, port->database_name)));
> #endif
>
> This approach is also more localizable.
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Index: auth.c
===================================================================
RCS file: /cvsroot/pgsql-server/src/backend/libpq/auth.c,v
retrieving revision 1.106
diff -c -c -r1.106 auth.c
*** auth.c 26 Jul 2003 13:50:02 -0000 1.106
--- auth.c 26 Jul 2003 15:21:20 -0000
***************
*** 440,454 ****
NI_NUMERICHOST);
#ifdef USE_SSL
- #define EREPORT_SSL_STATUS (port->ssl ? "on" : "off")
- #else
- #define EREPORT_SSL_STATUS "off"
- #endif
-
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", SSL \"%s\"",
! hostinfo, port->user_name, port->database_name, EREPORT_SSL_STATUS)));
break;
}
--- 440,455 ----
NI_NUMERICHOST);
#ifdef USE_SSL
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", SSL \"%s\"",
! hostinfo, port->user_name, port->database_name, port->ssl ? "on" : "off")));
! #else
! ereport(FATAL,
! (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
! errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
! hostinfo, port->user_name, port->database_name)));
! #endif
break;
}